Digitization Is A Key Enabler To Gaining Information Dominance

• More accurate decisions
• Dominant Maneuver thru Situational Awareness
• Dominant Maneuver thru Collaborative Planning
• Distributes Situational Awareness Information Rapidly
• Precision Engagement
• Focused Logistics
• Dominant Maneuver thru Greater Mobility & Flexibility
• Anticipatory Logistics


Battlefield Communications Overview

Information System Security

Provide commanders and their staff with information that is:

• Timely
• Accurate
• SECURE
• Performance and Security Balanced

(THESE ARE ALL PROTECTION REQUIREMENTS!!!)

(Diagram label: Command and Control)


Protection Tenets

• Defense in depth
• Protect, detect, & react (C2P Tools, IDS, Security Mgmt)

(Diagram labels: Situation Awareness; Commander's Intent and Assessment; Directives; Intelligence and Engagement Data; Logistic Reports)
First Digitized Division (FDD) Security Architecture

(Network diagram; labels recovered from the figure:)
SECRET SYSTEM HIGH NETWORK
2nd Layer
3rd Layer
FBCB2
Network Intrusion Detection System
ABCS Systems & Office Automation
User Laptops
Back-end Connections

Legend
Firewall
In Line Network Encryptor
Network Intrusion Detection System (NIDS)
Secret System High
Sensitive But Unclass (SBU)


Host-Based C2 Protect

Host Systems

- As a minimum, all host systems will meet DOD 5200.28-STD Class C2 Protection Level Requirements
- All host systems will incorporate network authentication, integrity, and access control mechanisms in accordance with the Army C2 Protect Program
- Host systems will incorporate intrusion detection functionality to the extent possible/practical

Applications

- Strong authentication, integrity, access control and non-repudiation mechanisms as required per service


Goal is to Implement Common Host-Based C2 Protect Tools

• TCP Wrappers to protect transactions
• Security Profile Inspector (SPI) to maintain configuration
• SWATCH to alert on audit
• Network Associates Anti-Virus
• Password Checkers

Currently installed on all ABCS systems
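The tools slide pairs TCP Wrappers (access control and logging for inetd-started services) with SWATCH (pattern-driven alerting on audit logs). As an added illustration, not code from the briefing or from either tool, the Python below parses syslog lines in the format tcpd writes and applies a SWATCH-style watch rule: report every refused connection, and escalate when one client's refusals reach a threshold. The log lines, host names, addresses and the threshold of 3 are all constructed assumptions for this example.

```python
"""SWATCH-style audit alerting over TCP Wrappers (tcpd) syslog lines.

Added example, not from the briefing. tcpd logs each accepted or refused
connection to syslog; a watcher matches patterns on those lines and raises
alerts. The sample log below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines in the format tcpd emits.
SAMPLE_AUDIT_LOG = """\
Aug 12 10:01:02 abcs-host1 in.telnetd[2201]: connect from 10.1.1.20
Aug 12 10:01:09 abcs-host1 in.ftpd[2205]: refused connect from 10.9.9.9
Aug 12 10:01:11 abcs-host1 in.ftpd[2206]: refused connect from 10.9.9.9
Aug 12 10:01:15 abcs-host1 in.telnetd[2207]: refused connect from 10.9.9.9
Aug 12 10:02:30 abcs-host1 in.rshd[2210]: connect from 10.1.1.21
Aug 12 10:03:45 abcs-host1 in.rlogind[2212]: refused connect from 10.9.9.7
"""

# tcpd line shape: "<daemon>[<pid>]: (refused )?connect from <client>"
TCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.]+)\[\d+\]: (?P<verdict>refused connect|connect) "
    r"from (?P<client>\S+)$"
)

# Assumed tuning value: refusals from one client before escalating.
REFUSED_THRESHOLD = 3


def parse_tcpd_line(line):
    """Return a dict of fields for a tcpd audit line, or None if it is not one."""
    m = TCPD_RE.match(line.strip())
    return m.groupdict() if m else None


def watch(log_text, threshold=REFUSED_THRESHOLD):
    """Scan audit text and return the list of alert strings.

    Like a swatchrc 'watchfor' rule: every refused connection is reported
    once, and a client whose refusals reach `threshold` gets one escalation.
    """
    alerts = []
    refused_by_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_tcpd_line(line)
        if rec is None:
            continue  # not a tcpd line; other rules would look at it
        if rec["verdict"] == "refused connect":
            refused_by_client[rec["client"]] += 1
            alerts.append(
                f"REFUSED {rec['daemon']} from {rec['client']} "
                f"on {rec['host']} at {rec['ts']}"
            )
            if refused_by_client[rec["client"]] == threshold:
                alerts.append(
                    f"ESCALATE {rec['client']}: {threshold} refused connects "
                    f"on {rec['host']}"
                )
    return alerts


if __name__ == "__main__":
    for alert in watch(SAMPLE_AUDIT_LOG):
        print(alert)
```

Running the block prints four REFUSED lines and one ESCALATE line for 10.9.9.9; the accepted connections are parsed but produce no alert, which is the usual split between "log everything" (tcpd) and "alert on what matters" (SWATCH).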
Current "Commercial Off The Shelf" (COTS) Integration Efforts

Purge Routines

- Reviewing/evaluating products available for complete memory purge to transition workstations between classified and unclassified roles

Secure Client - Server Services

- Reviewing/evaluating products that can provide
  . Authentication
  . Encryption
  in the multiple DCE cell environment of the Tactical Operations Center


Inter-TOC and Intra-TOC Data Distribution

(Diagram: TOC-1 with several M-1068 vehicles; "Mixture of clients and servers")

Inter-TOC

Current Technology
• USMTF (Sendmail-based)
• FTP and E-mail
• Web (HTTP)
• VMF
• GBS-BADD

Future Technology
• Additional VMF, GBS-BADD traffic
• Database Synchronization
• Formalized E-Mail
• Expanded SA Service

Intra-TOC
• Database S/R (Subscribing / Receiving)
• RPCs
• ORBs/MOM
• SQL Net
• WEB
• NFS, DFS

Inter-TOC/Inter-Cell Distribution (… between servers)

(Diagram: TOC 2/A-Cell and TOC 2/B-Cell, each with M-1068 vehicles)

Operational Issues
• Autonomy
• Jump and Split TOCs
• Reliability
• Network Bandwidth and Contention
COTS Example

• Combines the strengths of Secret Key and Public Key encryption technologies
• Provides comprehensive security framework for all TCP/IP based applications
  - Includes single sign-on ... in a completely transparent manner

(Diagram label: TCP/IP Applications)

COTS Secure Capabilities
• Authentication and single sign-on
• Standardized authorization across all applications
• Data protection services, smart Virtual Private Network (VPN)
• Dynamic support for new protocols
• Centralized management, connection monitoring
• Auditing, accounting, event notification
• Public key certificate services


C2 Protect Integration

Master FDD Schedule (Version 1.3)

(Schedule chart; rows and dates recovered from the figure:)
• Key Master Events: Ramp-up; Integration (For Secure Operations); Y2K Technical Validation (19-31 Aug 99, 17-31 Oct 99); FBCB2 FDT&E / IOT&E / MS III; Capstone Exercise (15 Sep 00)
• SE99-1: 10 Aug - 17 Dec; SE99-2: 10 Jun - 31 Oct; SE00-1: 10 Jan - 28 Feb; SE00-2: 1 Jun - 16 Aug
• ABCS 4.0: 1 Apr - 31 July; ABCS 5.0: 1 Dec - 1 Feb; ABCS 6.1: 31 Mar - 31 May
• C2 Protect items: TCP Wrappers, SWATCH, Anti-Virus, Firewalls; COTS TOC Security Pkg; 3D Accreditation; Network IDS; Host IDS; Security Manager


FBCB2 Initial Protection Capabilities
Oct '99

> FBCB2 authenticates to the router upon request to grant/validate network access
> Access control to data based on clearance level
  - Clears C2 data when operational level lowered to SBU
  - Capability for any user to initiate both disk overwrite and resetting of the router to factory default
> Audit reports generated and forwarded to designated collection points

FBCB2: Force XXI Battle Command Brigade and Below


FBCB2 Capabilities Planned for FDD
Sep '00

Remote security management
- Load passwords
- Control system access: three operational capabilities
  . Challenge a user to re-authenticate without interfering with the mission
  . Lock-out the user until re-authentication
  . Disable - through overwrite of the disk and reset of the router to its factory default
- Authentication through the use of digital signature
  . Security management transactions initiated/signed by security manager and sent to remote FBCB2

Ongoing evaluation of C2 Protection enhancements
- Message authentication, intrusion detection, malicious code detection
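The planned capability above is a remote security manager issuing signed transactions (challenge, lock-out, disable) that the remote FBCB2 verifies before acting. As an added example, not code from the briefing or the FBCB2 program, the Python below models both ends of that exchange. Assumptions that are mine, not the slide's: an HMAC-SHA256 tag with a shared key stands in for the digital signature because it needs only the standard library (a fielded system would use a public-key signature so the remote holds only a verification key); a monotonic sequence number rejects replayed transactions; and "disable" is modelled as a terminal state only, not as a disk overwrite or router reset. Node names and the key are constructed.

```python
"""Signed remote security-management transactions for an FBCB2 node.

Added example, not from the briefing. A SecurityManager issues a transaction
for one node and one action; the RemoteNode verifies the tag, the addressee
and the sequence number before changing its own state.
Assumptions: HMAC-SHA256 stands in for the slide's digital signature; the
sequence number is the replay defence; "disable" is a state change only.
"""
import hashlib
import hmac
import json

ACTIONS = ("challenge", "lockout", "disable")


def canonical(body):
    """Deterministic encoding so both ends tag exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def tag_for(key, body):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class SecurityManager:
    """Issues transactions; owns the signing key and the sequence counter."""

    def __init__(self, key):
        self._key = key
        self._seq = 0

    def issue(self, node_id, action):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self._seq += 1
        body = {"node": node_id, "action": action, "seq": self._seq}
        return {"body": body, "tag": tag_for(self._key, body)}


class RemoteNode:
    """Remote FBCB2: verifies every transaction before changing state."""

    def __init__(self, node_id, key):
        self.node_id = node_id
        self._key = key
        self.last_seq = 0
        # operational | reauth_required | locked | disabled
        self.state = "operational"
        self.log = []

    def apply(self, txn):
        body = txn.get("body", {})
        # 1. Authenticity and integrity: constant-time compare of the tag.
        if not hmac.compare_digest(tag_for(self._key, body), str(txn.get("tag", ""))):
            self.log.append("REJECT bad signature")
            return False
        # 2. Addressed to this node?
        if body.get("node") != self.node_id:
            self.log.append("REJECT wrong node")
            return False
        # 3. Replay: the sequence number must move forward.
        if body.get("seq", 0) <= self.last_seq:
            self.log.append(f"REJECT replay seq={body.get('seq')}")
            return False
        # 4. A disabled node accepts nothing further.
        if self.state == "disabled":
            self.log.append("REJECT node disabled")
            return False
        action = body.get("action")
        if action == "challenge":
            self.state = "reauth_required"  # mission continues; user must re-authenticate
        elif action == "lockout":
            self.state = "locked"           # no use until re-authentication
        elif action == "disable":
            self.state = "disabled"         # terminal in this model
        else:
            self.log.append(f"REJECT unknown action {action!r}")
            return False
        self.last_seq = body["seq"]
        self.log.append(f"APPLY {action} seq={body['seq']}")
        return True

    def reauthenticate(self, success):
        """A successful re-authentication clears a challenge or lock-out."""
        if success and self.state in ("reauth_required", "locked"):
            self.state = "operational"
            return True
        return False


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed; see assumptions above
    mgr, node = SecurityManager(key), RemoteNode("fbcb2-17", key)
    txn = mgr.issue("fbcb2-17", "challenge")
    print(node.apply(txn), node.state)   # True reauth_required
    print(node.apply(txn), node.log[-1])  # False, rejected as a replay
```

The order of the checks matters: the tag is verified before any field of the body is trusted, so a tampered or forged transaction is dropped before the replay or addressee logic runs, and the node's state never changes on a rejected transaction.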


Summary FBCB2 Security Policy

Each Computer Maintains a SECRET System High Posture
Discretionary Access Control (DAC) of SECRET Data is Enforced at End-Points

At Sending End - Manual review required for message remark
At Receiving End - Hard rejection of messages marked above User level

(Diagram: Secret User; Human Review and "Remark"; FBCB2)

Legend
Message Rejection
Message Remarked
SBU Sensitive But Unclassified
S Secret
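The policy slide states the two end-point rules in one line each: the receiving end hard-rejects any message marked above the user's level, and the sending end may lower a marking ("remark") only after manual human review. The Python below, an added example that is not code from the briefing or from FBCB2, applies those rules to constructed messages, and also models the earlier slide's "clears C2 data when operational level lowered to SBU". Assumptions of mine: a two-level ordering SBU < S, the marking carried as a "level" field on each message, and the reviewer's identity recorded on the remarked copy.

```python
"""End-point enforcement of the FBCB2 message-marking policy.

Added example, not from the briefing. Receiving end: hard rejection of
messages marked above the user's level (fail closed on unmarked messages).
Sending end: a marking may only be lowered with a recorded human review.
Assumptions: ordering SBU < S; "level" field on each message; all messages
below are constructed.
"""
LEVELS = {"SBU": 0, "S": 1}  # classification ordering used by the example


class PolicyViolation(Exception):
    """Raised at the sending end when a remark breaks the policy."""


def dominates(holder_level, data_level):
    """True if a holder at holder_level may see data marked data_level."""
    return LEVELS[holder_level] >= LEVELS[data_level]


def remark(msg, new_level, reviewer):
    """Sending end: lower a message's marking, only with a recorded human review.

    Returns a new message dict; the original is left unchanged.
    """
    if new_level not in LEVELS or msg.get("level") not in LEVELS:
        raise ValueError("unknown marking")
    if not dominates(msg["level"], new_level):
        raise PolicyViolation("remark may only lower a marking")
    if not reviewer:
        raise PolicyViolation("manual review required before remark")
    return {**msg, "level": new_level, "remarked_by": reviewer,
            "original_level": msg["level"]}


def receive(msg, user_level):
    """Receiving end: hard rejection of messages marked above the user's level.

    Returns (accepted, body_or_reason). An unmarked message fails closed.
    """
    level = msg.get("level")
    if level not in LEVELS:
        return False, "REJECTED: unmarked message"
    if not dominates(user_level, level):
        return False, f"REJECTED: marked {level}, user level {user_level}"
    return True, msg["body"]


def lower_operational_level(store, new_level):
    """Clear C2 data above new_level when the operational level is lowered.

    Returns (retained_messages, purged_count).
    """
    kept = [m for m in store if dominates(new_level, m["level"])]
    return kept, len(store) - len(kept)


if __name__ == "__main__":
    secret_msg = {"level": "S", "body": "unit positions as of 0600"}  # constructed
    print(receive(secret_msg, "SBU"))          # hard rejection at the receiving end
    released = remark(secret_msg, "SBU", reviewer="S2 release officer")
    print(receive(released, "SBU"))            # accepted after review and remark
```

Because `receive` fails closed on an unmarked message and `remark` refuses to run without a reviewer, the only path from a SECRET-marked message to an SBU user is through the recorded human review, which is exactly the control the slide's diagram draws between "Secret User" and "Human Review and Remark".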

Future Force XXI C2P

• Selective Purge
• Host Intrusion Detection Systems
• Tactical network guards to allow information exchange automatically between classification levels


Summary

Information Assurance (IA) is a proactive and imperative part of the Army Digitization Program

PEO C3S PMs will continue to aggressively pursue emerging assurance technologies, e.g.
- Smart cards for user authentication
- Biometrics for access control
- Personal / host-level firewalls

Biometrics for Access Control